June 3, 2013    /    by

States' top cyber challenge remains spear phishing

Yes, spear phishing is hot all over the USA - very hot. In fact, this threat may be #1 on the list.

Last fall, one Huffington Post headline read: “White House Hacked In Cyber Attack That Used Spear-Phishing To Crack Unclassified Network.”

 Earlier this year, the Federal Times led with the article: Feds’ chief cyberthreat: spear phishing attacks. They described it this way: “The weapon of choice for most cyber hackers is a malicious email disguised as a friendly email.”

Yes, spear phishing is hot all over the USA – very hot.

In March 2013, Allan Paller, director of research at the SANS Institute, said that 95% of all attacks on enterprise networks are the result of successful spear phishing.

And this cyberthreat goes back a ways. Pop quiz…

When did spear phishing become such a big problem – even reaching “epidemic” proportions?

a) 2011

b) 2009

c) 2007

d) 2005

e) 2003

(The answer is at the end of this blog – but it wasn’t in 2012).

Definitions Please:

 Spear phishing is cyber fraud that targets a specific organization, seeking unauthorized access to confidential data. While most spear phishing attempts come via email, other social media messages are often used to get users to click on links.

What does spear phishing look like? Over the past few months, the State of Michigan employees have received emails that look “official” but are in reality spear phishing attempts. That is, they appear to come from trusted sources and look as if they are written as work-related - specifically for state government employees.

These hostile messages got around our spam filter and ended up in user mailboxes. One messages was very convincing and appeared to be from our internal help desk or customer support organization. For example, the email read: “Your mailbox is full, but we can help. If you click on this link and answer a few questions, we’ll reset your account.”

If one case, an email was sent to several thousand employees. When an end user clicked on the link, a screen popped up asking for account details and password information. Sadly, many employees took the bait, clicked on the link and sent in their computer account details.

Fortunately, we were ready. Our security and technology teams activated procedures to reset passwords and ensure that accounts were not compromised. If account information was compromised (with username and password falling into the wrong hands), that information could be used to cause a breach of sensitive information contained in government databases.

In one case, we had to reset passwords for over a thousand user accounts as a result of a spear phishing attack. And we have seen several smaller spear phishing incidents this year as well.

How Frequent is Spear Phishing?

And this is not unique to Michigan. Remember, the South Carolina breach started with a spear phishing attack.

A few weeks back, the MS-ISAC held a “Hot Topics” webcast for government members only. The topic was dealing with spear phishing, and many recent examples were shared from all over the country. What was clear is that spear phishing attacks are happening more than ever before. Examples from Delaware, Arkansas, Washington State and Michigan were given, and many attendees shared stories from other states as well. (State and local government members can access the taped webcast on the MS-ISAC portal.)

What is clear is that, despite the fact that spear phishing has been around for a while, this issue needs to be addressed as a higher priority for the public and private sectors - now. Whether you are in a small or large organization, these constantly refined spear phishing techniques are becoming more and more targeted to unique organizations. Sometimes, the emails even use logos or language which comes straight from technology and security teams.

What Can Be Done to Help?

There is no doubt that stopping spear phishing is not a “sexy” topic or thought of as especially difficult to solve by most cybersecurity pros – at least not initially. Spam emails, bank email phishing campaigns and spear-phishing have been around for years. The current tendency is to do a bit of training, put anti-spam or anti-phishing technologies in place and just hope for the best. But is that enough?

Many organizations also have a suspected email fraud mailbox – and this can be an effective tool. (The State of Michigan has one of these and gets hundreds of emails a month sent to the mailbox.) That is, end-users can send suspected bad emails to a specific email address and a team of experts with tools determine if the message is legit.

Back in 2007, SANS listed some steps that end users can take to combat spear phishing – most of which still apply today.

Jason Clark, a respected colleague and CSO of Websense wrote this article back in December 2012 listing eleven tips that enterprises can take to help.  Here is an excerpt:

1. Inbound email sandboxing:

Deploy a solution that checks the safety of an emailed link when a user clicks
on it. This protects against a new phishing tactic that I've seen from
cybercriminals. Bad guys send a brand new URL in an email to their targets to
get through the organization's email security. The other tactic is when they
inject malicious code into the website right after delivery of the email URL.
This URL will get past any standard spam solution.

2. Real-time analysis and inspection of your
web traffic:


First, stop malicious URLs from even getting to your users' corporate inboxes
at your gateway. Even if you have inbound email sandboxing for your corporate
email, some users might click on a malicious link through a personal email
account, like Gmail. In that case, your corporate email spear-phishing
protection is unable to see the traffic. Bottom line: your web security gateway
needs to be intelligent, analyze content in real time, and be 98 percent
effective at stopping malware.

3. Employee behavior:

The human element is incredibly important. Many CSOs that I've spoken with are
adopting employee testing programs with Phishme.com (Editor's note: Clark is on
the executive board of PhishMe Inc.), and do this training on-going basis. The
result isn't really employee education or security awareness —it's behavior
modification. See my five employee behavior tips below.

So when did all of this spear phishing first become such a big issue? It has been a major problem since at least 2005 (answer d). A techspot.com article stating: “Spear phishing reaches epidemic levels” was released in 2005.

No doubt – we’re seeing even more examples in government in 2013. So if you aren’t dealing with spear phishing wherever you are working – perhaps you are not looking in the right places. Government security pros must be ready, have a plan and take action.

Any spear phishing stories to tell?